qemu-devel

Re: [Qemu-devel] QEMU's CVE Procedures


From: Gonglei
Subject: Re: [Qemu-devel] QEMU's CVE Procedures
Date: Mon, 8 Jun 2015 20:44:25 +0800
User-agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

On 2015/6/6 6:16, John Snow wrote:
> (6) What about qemu-stable?
> 
> Our stable process is somewhat lacking with respect to the CVE
> process. It is good that we occasionally publish stable fix roundups
> that downstream maintainers can base their work off of, but it would
> be good to have a branch where we can have CVE fixes posted promptly.
> 
Good point.

In our team, when a CVE fix is posted upstream, we should fix all other Qemu
versions manually. Sometimes, the involved files are quite different between
different Qemu branches. It's too expensive when you have so many different
branches to maintain. :(

> 
> (7) How long should we support a stable branch?
> 
> We should figure out how many stable release trees we actually intend
> to support: The last two releases? The last three?
> 
> My initial guess is "Any stable branch should be managed for at least
> a year after initial release."
> 
> This would put our current supported releases as 2.1, 2.2 and 2.3, so
> about ~3 managed releases seems sane as an initial effort.

Regards,
-Gonglei



